bug #9218
Change /registrationDTO/identifier/... signatures to use query parameters instead
Status: Closed
Priority: Highest
Category: cdmlib-remote
% Done: 100%
Severity: normal
Description
Using slashes, double slashes, or backslashes in URLs has security implications (see CVE-2007-0450). More recent spring-security releases (e.g. >4.2.18.RELEASE) therefore reject URLs like these:
http://cdmserver.org/registrationDTO/identifier/http://testbank.org/100001
http://cdmserver.org/registrationDTO/identifier/http%3A%2F%2Ftestbank.org%2F100001
The Apache configuration also needs a special security setting to allow encoded slashes (see also #7563):
# NOTE: AllowEncodedSlashes is off per default to prevent possible security vulnerabilities.
# To allow the cdmserver resolving http identifiers via HTTP GET requests it is required to
# allow encoded slashes. See https://dev.e-taxonomy.eu/redmine/issues/7563
#
AllowEncodedSlashes On
We should completely abstain from using slashes or double slashes in the requests to the RegistrationDTOController by introducing corresponding query parameters instead.
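As an added example (not code from the cdmlib project), the following Python models the two request shapes discussed above: the path-based form, where the identifier either spans several path segments or needs encoded slashes that a strict request firewall refuses, and the query-parameter form, where the identifier is ordinary percent-encoded form data and the path stays static. The `path_is_rejected` check is a simplified model of the encoded-slash and backslash rejection that Spring Security's StrictHttpFirewall applies to the request path; the `/registrationDTO/identifier` route and the `identifier` parameter name are assumptions for this example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Tokens a strict request firewall refuses to see in the request *path*.
# Simplified model of Spring Security's StrictHttpFirewall defaults (assumption).
REJECTED_PATH_TOKENS = ("%2f", "%2F", "%5c", "%5C", "\\")

# Route prefix and query parameter name are assumed for this example.
PATH_PREFIX = "/registrationDTO/identifier"


def path_is_rejected(url: str) -> bool:
    """True if the URL's path would be refused by a strict request firewall.

    Only the path is inspected: an encoded slash in the query string is
    ordinary form data and carries no path-traversal ambiguity.
    """
    path = urlsplit(url).path
    return any(token in path for token in REJECTED_PATH_TOKENS)


def identifier_from_path(url: str) -> Optional[str]:
    """Old style: identifier carried as a path variable after the prefix.

    Returns None when the request would be rejected upstream, or when the
    identifier does not fit into a single path segment (a path variable
    does not match across '/').
    """
    if path_is_rejected(url):
        return None
    path = urlsplit(url).path
    if not path.startswith(PATH_PREFIX + "/"):
        return None
    remainder = path[len(PATH_PREFIX) + 1:]
    if not remainder or "/" in remainder:
        return None
    return unquote(remainder)


def identifier_from_query(url: str) -> Optional[str]:
    """New style: identifier passed as the ?identifier= query parameter."""
    parts = urlsplit(url)
    if parts.path != PATH_PREFIX:
        return None
    values = parse_qs(parts.query).get("identifier")
    return values[0] if values else None


def build_query_url(base: str, identifier: str) -> str:
    """Build the query-parameter form; urlencode percent-encodes ':' and '/'."""
    return f"{base}{PATH_PREFIX}?{urlencode({'identifier': identifier})}"


if __name__ == "__main__":
    # The two URLs quoted in the issue description.
    raw = "http://cdmserver.org/registrationDTO/identifier/http://testbank.org/100001"
    encoded = "http://cdmserver.org/registrationDTO/identifier/http%3A%2F%2Ftestbank.org%2F100001"
    print(identifier_from_path(raw))      # None: identifier spans several path segments
    print(identifier_from_path(encoded))  # None: encoded slash in the path is rejected
    query = build_query_url("http://cdmserver.org", "http://testbank.org/100001")
    print(query)                          # .../registrationDTO/identifier?identifier=http%3A%2F%2Ftestbank.org%2F100001
    print(identifier_from_query(query))   # http://testbank.org/100001
```

The query-parameter form needs neither `AllowEncodedSlashes On` in Apache nor a relaxed Spring Security firewall, because the percent-encoded slashes never appear in the path component that those checks inspect.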